lyric2249 opened a new pull request, #69773:
URL: https://github.com/apache/airflow/pull/69773

   `FabAuthRolePublicMiddleware` (added in #65685) sets `request.state.user` 
for anonymous requests when `AUTH_ROLE_PUBLIC` / `[fab] auth_role_public` is 
configured, but never sets `request.state.user_authenticated_via`. Core's 
`get_user()` dependency requires both attributes before it will trust a pre-set 
user and skip JWT validation, so anonymous requests still fall through to JWT 
validation and get rejected with 401 even though the public role is configured 
correctly.
   
   This sets the same trust marker `JWTRefreshMiddleware` already sets, so both 
middlewares satisfy the same contract that `get_user()` checks.
   
   The existing `test_sets_public_user_when_no_auth_present` test already 
exercises this exact code path, so it is extended with one assertion for the 
new attribute rather than adding a separate test; no existing assertions were 
changed or removed.
   
   related: #60897
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes — Claude Code (Sonnet 5)
   
   Generated-by: Claude Code (Sonnet 5) following [the 
guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to